[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Tomofumi Okubo tomofumi.okubo at gmail.com
Mon Sep 22 06:51:08 UTC 2014

Hello David,

On Sun, Sep 21, 2014 at 11:05 PM, David Conrad <david.conrad at icann.org> wrote:

> AFAICT, there is an assumption that there are two modes of potential failure: (a) a catastrophic failure in which the only option is re-bootstrapping and (b) a non-catastrophic failure in which 5011 is a (potentially) viable solution.

Yes, I fully agree.

> Is anyone arguing that we do not need to be prepared for (a), regardless of how unlikely it might be?

Given the importance of the service, we definitely need to be prepared
for the worst case. Does it hurt to be overly prepared? Absolutely.

> What exactly does (b) look like? That is, what is a non-catastrophic failure that would necessitate a key roll?

Off the top of my head, circumstances for a planned (non-catastrophic)
rollover are something like a "theoretical" algorithm compromise (white
paper), a change of recommended algorithm or key length, an HSM vendor
change, and a periodic KSK roll (if we choose to do so).

It's more like a due diligence thing.
